The Transportation Security Administration (TSA) is under fire for its handling of cybersecurity vulnerabilities, particularly ransomware, in the transportation sector. A report by the U.S. Government Accountability Office (GAO), released on Tuesday, revealed that the TSA has not implemented four of six key cybersecurity recommendations made since 2018.
Inadequate Ransomware Efforts
One unaddressed recommendation involves evaluating how well the transportation sector is adopting practices to reduce ransomware risks. According to Tina Won Sherman, Director of Homeland Security and Justice at the GAO, the TSA’s security directives do not align with leading practices outlined by the National Institute of Standards and Technology (NIST).
The GAO urged the Department of Homeland Security (DHS) to develop routine evaluation procedures for ransomware-related support and to conduct sector-specific risk assessments focused on operational technology. As of November 2024, these recommendations remain unimplemented.
Sherman stated, “Ransomware has increasingly devastating impacts in the transportation sector, but TSA has not fully assessed the effectiveness of its measures.”
Progress and Challenges
Of the six recommendations, only one has been fully addressed: developing a comprehensive strategy to expand TSA’s cybersecurity workforce. Efforts to update the TSA’s 2010 Pipeline Security and Incident Recovery Protocol Plan to include cybersecurity were partially completed.
While the TSA issued five cybersecurity directives following the 2021 Colonial Pipeline ransomware attack, the GAO criticized the agency for lacking metrics to measure the effectiveness of these efforts.
Proposed Rule and Industry Backlash
Last week, the TSA issued a notice of proposed rulemaking to codify cybersecurity requirements for freight rail, passenger rail, and pipeline industries. However, industry leaders have criticized the proposed rule for replicating existing regulations and requiring companies to submit sensitive security information.
Kimberly Denbow of the American Gas Association argued that forcing companies to hand over detailed network architecture and critical cyber systems data to TSA creates significant vulnerabilities.
“No system is perfectly secure, and aggregating sensitive information in a centralized location poses unnecessary risks,” Denbow said during a House Homeland Security Subcommittee hearing. She suggested on-site inspections instead of requiring companies to submit sensitive data.
TSA’s Resource Constraints
TSA executives acknowledged industry concerns but pointed to resource limitations. Steve Lorincz, a TSA official, explained that on-site inspections could extend timelines and require additional staffing and funding.
“We currently have about 60 employees to oversee 155 entities in the sector,” Lorincz said, highlighting the need for increased resources if TSA shifts to more extensive inspections.
Looking Ahead
The GAO report underscores the TSA’s need to address cybersecurity risks more effectively while balancing industry concerns. As the transportation sector remains a critical target for ransomware attacks, both the TSA and private companies must find common ground to enhance security without creating additional vulnerabilities.
Sponsored • TRJ Ads
Inquiries: contact@therealistjuggernaut.com
